Monday, 9 March 2015

Basic data protection principles in the proposed Data Protection Regulation: Back to the Future?

Steve Peers

So far, 2015 is not what the Back to the Future movies promised it
would be. In particular, there are no hoverboards (drones are a poor
substitute). Moreover, instead of agreeing a data protection framework fully
fit for 2015, the Council is probably about to agree that the key principles of
the law should remain as they were in 1995 – which might as well be 1985 (or
even 1955) in terms of technology law.

Background

The negotiations on the EU’s
proposed General Data Protection Regulation finally seem to be nearing the
final stretch, as far as the Council is concerned. Member States’ ministers in
the Council seem likely to agree later this week on two more parts of the
proposed Regulation: on basic principles of data protection (text here)
and on supervisory authorities, including the idea of a ‘one-stop shop’ for
data protection supervision (text here).

Previously they had agreed on three
other parts of the Regulation, namely rules on: territorial scope and external
relations (see discussion here); public-interest exceptions (see here);
and the roles of data controllers and processors (see here; see particularly
the discussion of the ‘privacy seals’ rules here). (For full consolidated
text of everything the Council has agreed to date, see here). If the
proposed texts on principles and data protection authorities are indeed agreed
this week, the Council mainly only has to agree on the scope and definitions in
the Regulation, along with the rights of data subjects, such as the right to be
forgotten (see discussion of the proposed text on that issue here), and
related individual remedies.

This blog post focusses on the
issue of basic data protection principles. The Commission’s proposal suggested some fairly modest changes to these basic rules as compared to the
current data protection Directive, although the European Parliament (EP)
would like to go further than the Commission (see its position here).
However, the Council’s position would entail very modest changes indeed to the
status quo. For this aspect of data protection law, if the Council has its way,
the EU’s lengthy legislative reform journey would end up much where it
originally started.

Details

Currently, the data protection
Directive begins with a clause (Article 5) which appears to give the Member
States a great deal of discretion in how to apply the Directive. The CJEU
effectively sidelined that clause in its ASNEF
judgment, emphasising instead the need for uniform interpretation of the
Directive. The new Regulation would suppress this clause entirely, but the
Council in particular wants to reintroduce a number of specific provisions
referring back to national law. So in some respects, the current Directive
resembles a Regulation already – but conversely, the future Regulation will
continue to resemble a Directive.

The basic principles of data
protection as proposed and (nearly) agreed by the EU institutions are similar
to the current Directive: fair and lawful processing; purpose limitation; data
minimisation; accuracy; and storage minimisation. The changes would concern:
the addition of ‘transparency’; some express protection for archiving or other
scientific purposes; and the insertion of data security (by both the EP and the
Council). The EP also suggests that the effective protection of rights should
be listed as one of the principles. This is a useful suggestion, since although
it might seem at first sight that such effective protection is a procedural,
not a substantive rule, in the field of data protection it is necessary to
ensure that procedural rights are built into the system (the so-called
‘privacy by design’). An example would be a social network that makes it easy
to complain that the user’s privacy has been violated.

Next, the proposal sets out the
grounds for processing personal data, again based on the current Directive:
consent; contract; compliance with a legal obligation; vital interests of the
data subject; public interest or official authority; or legitimate interest of
the controller or a third party, subject to an override for the privacy of the
data subject. The latter rule is particularly important for the private sector,
in the absence of consent or a contract, and the case law points in different
directions. In ASNEF, the CJEU ruled that
Member States restricted direct marketing companies too much in the interests
of consumers, but in Google Spain
(discussed here) it ruled that the privacy interests of those named in
search results overrode Google’s financial interests as regards its search
engine.

The rules would be amended to:
refer to consent for specific purposes; extend to the vital interests of another person (according to the
Council); and consider the interests of children as regards the ‘legitimate
interests’ clause. (The Commission proposal, agreed by the EP, defines a child
as anyone under 18; the Council has not agreed this definition yet). Also, the
Commission would like to remove the possibility that the legitimate interests
of third parties are a ground for processing, but the EP and Council both want
to keep this. However, the EP wants to add an important new proviso that such
private interests are linked to the ‘reasonable expectations’ of the data
subject. The Council also wants to
retain the current rule that consent must be ‘unambiguous’, while the EP and
Commission want to delete this adjective.

Furthermore, the institutions
differ greatly on what happens if the purpose of data processing is changed.
The Commission proposes that changing the purpose should be acceptable on any
of the grounds for the initial processing of the data, except for the
legitimate interests of the controller. The Council wants to allow a change of
purpose for any of the grounds for the initial processing, including the legitimate interests of the controller; while the EP
does not want to provide expressly for any incompatible processing at all. The
Council’s position in particular would turn the purpose limitation principle
into the very smallest of figleaves.

One of the most significant
changes in the new rules would be a definition of consent (the CJEU has not yet
been asked to clarify this concept under the current Directive). All the
institutions agree that the data controller would have to prove consent. The
Council’s version would add some very useful rules requiring the data
controller to use plain language, while the EP would specify that the relevant
contractual terms would be void. The institutions also agree that there should
be an express power for the data subject to withdraw consent, although it’s
arguable that such a power already exists implicitly under the current rules.
Finally, the Commission wants a new clause that would reject the possibility of
consent if there is a ‘significant imbalance’ between the data subject and the
data controller, and the EP wants to disapply contract terms which are
unnecessary for supplying a service. However, the Council rejects entirely the
idea that the Regulation should protect Davids from Goliaths.

The other significant change
would be a specific rule on children. The Commission proposes that information
society services must get the consent of the parents of children under 13. This
broadly reflects social networks’ practice of either requiring consent or not
permitting younger children to join their network (as we know, this is not
fully effective in practice). But the Council version, if agreed, will refer
instead to national laws on contract, removing the reference to a particular
age. For its part, the EP would broaden the scope of the clause to refer to all
supply of goods and services, and would also add a very useful ‘plain language’
clause. Unfortunately, none of the EU institutions propose an amendment which
would enormously improve the lives of parents across Europe: an EU-wide
hour-long daily limit on children playing Minecraft.

Next, the proposed Regulation
keeps largely intact the supposed prohibition on processing so-called sensitive
personal data, namely data on racial origin, political opinions, religious
beliefs, trade union membership and health or sex life. All institutions agree
to add ‘genetic data’ to this list. The EP and Commission also want to add
criminal convictions, but the Council wants to retain the current separate rule
on this type of data. Furthermore, the EP wants to add sexual orientation,
gender identity and biometric data to the list.

The ‘prohibition’ on processing
such data is a legal fiction, since both the current rules and the proposed
Regulation allow it to be processed on a number of grounds. In fact, the
Council will likely agree to extend those grounds, to include social security
and social protection, judicial activities, public health and archiving. The Council
also wants to retain the current rule that consent by the data subject must be
‘explicit’, while the EP wants to add the possibility of processing based on a
contract.

Finally, both the EP and the
Council want to strengthen the current rule providing that the data controller
is not obliged to obtain further data on the excuse that it has to identify the
data subject in order to apply data protection law.

Comments

In summary, the Council’s likely
version of the future Regulation would only differ from the current Regulation
as regards: new principles of transparency and security; a new definition of
consent; a largely cosmetic clause on children’s consent (since it refers back
to national law); and a small extension of the list of sensitive data, coupled
with a bigger list of exceptions to the prohibition on processing that data.

For its part, the EP would: add a
new principle of effective exercise of rights; adjust the balance of interests
between the data subject and data controller; limit incompatible further
processing; curtail questionable contract terms; strengthen children’s rights;
and widen the scope of the concept of sensitive data.

Despite all the fuss made over
the proposed new legislation, the Council’s changes would amount to a very marginal
change in the rules. (To be fair, though, there would be bigger changes in some
other areas of data protection law, such as the new ‘one-stop-shop’
rules). In particular, there are
manifold protections for research-related activities in the Council version of
the text: the end is clearly not as nigh for research as many advocates of it have
been predicting. The key differences between the EP and the Council concern the
balance between corporate interests and individual privacy rights, where it
seems that companies have successfully lobbied the Council to make no
significant changes, while privacy NGOs have convinced the EP to argue for
modest improvements in individual rights. The forthcoming negotiations between
the EP and the Council on the final version of the Regulation will determine
whether the new rules will genuinely be different, or will merely amount to old
cookies in new jars.